CVE-2025-6755 is a critical security vulnerability identified in the Game Users Share Buttons plugin for WordPress, affecting all versions up to and including 1.3.0. The vulnerability is classified as CWE-22, which refers to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. The root cause lies in insufficient validation of file paths within the ajaxDeleteTheme() function. Specifically, the plugin fails to properly sanitize the themeNameId parameter in AJAX requests, allowing an attacker with Subscriber-level privileges to craft malicious requests containing arbitrary file paths such as '../../../../wp-config.php'. This can lead to arbitrary file deletion and potentially remote code execution (RCE) if critical files are deleted or manipulated. The vulnerability is remotely exploitable over the network without requiring user interaction, but it does require low-level privileges (Subscriber role) within the WordPress environment. The CVSS v3.1 score is 8.8 (high severity), reflecting the ease of exploitation combined with the significant impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the vulnerability poses a substantial risk due to the widespread use of WordPress and the plugin's capability to escalate a low-privilege user to execute arbitrary code or disrupt site operations. The lack of a patch at the time of publication further increases the urgency for mitigation.

For European organizations, this vulnerability presents a serious threat, especially for those relying on WordPress-based websites for business operations, e-commerce, or public-facing services. Exploitation could lead to unauthorized deletion of critical files, including configuration files like wp-config.php, which may expose database credentials and other sensitive information. This can result in data breaches, website defacement, service downtime, and potential remote code execution, allowing attackers to gain further control over the web server and internal networks. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly at risk due to the sensitivity of their data and regulatory requirements like GDPR. The disruption caused by such an attack could lead to financial losses, reputational damage, and legal consequences. Additionally, the ability for a low-privilege user to exploit this vulnerability increases the attack surface, as attackers may compromise or create Subscriber accounts through phishing or other means to leverage this flaw.

Given the absence of an official patch at the time of reporting, European organizations should implement immediate compensating controls. These include: 1) Restricting Subscriber-level account creation and monitoring for suspicious account activity to prevent unauthorized access. 2) Implementing web application firewalls (WAFs) with custom rules to detect and block malicious AJAX requests targeting the ajaxDeleteTheme() function or containing path traversal patterns in the themeNameId parameter. 3) Conducting regular file integrity monitoring to detect unauthorized file deletions or modifications, especially for critical files like wp-config.php. 4) Limiting file system permissions for the WordPress installation to prevent deletion or modification of sensitive files by the web server user. 5) Isolating WordPress instances in segmented network zones to reduce lateral movement if exploitation occurs. 6) Keeping all other WordPress plugins and core components updated to minimize the overall attack surface. Once an official patch is released, organizations must prioritize its deployment. Additionally, performing thorough audits of user roles and permissions and educating administrators about the risks of low-privilege account misuse will strengthen defenses.